On Sun, Sep 2, 2012 at 6:58 PM, Sigbjorn Lie <sigbj...@nixtra.com> wrote:

>  On 09/02/2012 04:37 PM, Natxo Asenjo wrote:
> > One thing I have not yet gotten to work is that these changes are not
> > persistent across reboots. The ldapclient config stays, but the service
> > ldap/client does not start (stays disabled) and nsswitch.conf misses the
> > ldap entries. So far I am fixing this from cfengine (gotta love it).
> > So apparently, for solaris 10 and newer versions, the procedure outlined
> > in http://freeipa.com/page/ConfiguringSolarisClients is no longer
> > necessary as far as the ldap client is concerned.
>
> I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I
> use a DUAProfile with ldapclient. This stays configured and the ldap/client
> service is enabled across reboots.
> There is a DUAProfile included by default with IPA, but it requires some
> tweaking to support more than just the basic features. See this bugzilla
> for a more comprehensive example:
> https://bugzilla.redhat.com/show_bug.cgi?id=815515

OK, looks nice. I did not know about this automatic config tool. So if I run
ldapclient init -a profileName=default kdc.ipa.asenjo.nx it should work.
Yes it does, awesome.

Unfortunately, it keeps stopping after a reboot:

[ Sep  2 20:05:19 Enabled. ]
[ Sep  2 20:05:31 Executing start method ("/lib/svc/method/ldap-client start"). ]
[ Sep  2 20:05:38 Method "start" exited with status 0. ]
[ Sep  2 20:05:38 Stopping because service disabled. ]
[ Sep  2 20:05:38 Executing stop method ("/lib/svc/method/ldap-client stop"). ]
[ Sep  2 20:05:38 Method "stop" exited with status 0. ]

> There is also some more info about configuring Solaris clients in this
> bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=815533
> The ldap/client service is enabled when you run the ldapclient script.
> There should be no need for doing this manually.  When you run ldapclient,
> run it with the -v flag and look for errors.

I have rerun ldapclient after running ldapclient uninit and saw no errors.

> After a reboot, what does "svcs -xv ldap/client" output?

# svcs -xv ldap/client
svc:/network/ldap/client:default (LDAP client)
 State: disabled since September  2, 2012 08:05:38 PM CEST
Reason: Temporarily disabled by an administrator.
   See: http://illumos.org/msg/SMF-8000-1S
   See: man -M /usr/share/man -s 1M ldap_cachemgr
   See: /var/svc/log/network-ldap-client:default.log
Impact: This service is not running.

But I have not temporarily disabled it (option -t to svcadm, I believe).

> Are the services it depends on in online state? "svcs -d ldap/client"

# svcs -d ldap/client
STATE          STIME    FMRI
online         19:51:58 svc:/system/filesystem/minimal:default
online         19:51:59 svc:/network/initial:default
online         19:52:10 svc:/network/location:default

> What does /var/svc/log/network-ldap-client:default.log display after a
> reboot?

see above.

> What files do you have in /var/ldap?

ls -l /var/ldap/
total 7
-rw-r--r-- 1 root root 2368 2012-09-02 15:28 cachemgr.log
-r-------- 1 root root  100 2012-09-02 11:16 ldap_client_cred
-r-------- 1 root root  371 2012-09-02 11:16 ldap_client_file
drwxr-xr-x 2 root root    4 2012-09-02 11:16 restore

> What is the content of the /var/ldap/ldap_client_file?

# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
NS_LDAP_SERVERS= kdc.ipa.asenjo.nx
NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=asenjo,dc=nx
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount

Thanks for your tips. I think there might just be something broken with the
ldap/client service in openindiana. This DUAProfile thing is really nice to

Freeipa-users mailing list
